Client secret for Django oauth
I am using django-oauth-toolkit with Django REST OAuth authentication for a mobile app. To access a protected resource, the client id and secret of the app are required. Where should I store the client secret? Storing it in the APK is unsafe, since it can be decompiled. Obfuscation can be reverse engineered. What's the best, safe way to serve the client secret to the app?
It isn't extremely important to keep the client id hidden, but you are right not to save the client secret somewhere in the app. Exposing it would compromise security.
In that case, either set the OAuth app to use the password grant type (my personal preference), or have the user authenticate with the server and have it grant them an expiring access token to use for future requests. These are 2 different "OAuth flows" common in mobile apps.
There's an awkwardly titled slideshow that I thought had useful illustrations describing the use of OAuth in mobile apps.
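The password grant flow from the answer, as an added in-process simulation that is not code from the question, the answer, or django-oauth-toolkit: a public client (in django-oauth-toolkit, an Application with client type "public" and grant type "password") sends only its client_id plus the user's credentials, receives an expiring access token and a refresh token, and the resource server rejects the access token once it has expired. The client id, user, password and TTL are constructed demo values.

```python
import hmac, secrets, time
from hashlib import sha256

# Constructed demo data: one public OAuth2 client (no client secret needed)
# and one user; a real server would use Django's password hasher, not bare sha256.
PUBLIC_CLIENTS = {"mobile-app-client-id"}               # hypothetical client_id
USERS = {"alice": sha256(b"correct horse").hexdigest()}  # demo password hash
ACCESS_TTL = 3600                                        # access token lifetime (s)
_tokens = {}   # access_token -> (username, expires_at)
_refresh = {}  # refresh_token -> username

def token_endpoint(form, now=None):
    """Simulated /o/token/ handling the password and refresh_token grants for a public client."""
    now = time.time() if now is None else now
    if form.get("client_id") not in PUBLIC_CLIENTS:
        return {"error": "invalid_client"}
    if form.get("grant_type") == "password":
        user = form.get("username")
        pw_hash = sha256(form.get("password", "").encode()).hexdigest()
        if user not in USERS or not hmac.compare_digest(USERS[user], pw_hash):
            return {"error": "invalid_grant"}
    elif form.get("grant_type") == "refresh_token":
        user = _refresh.pop(form.get("refresh_token"), None)  # single-use refresh token
        if user is None:
            return {"error": "invalid_grant"}
    else:
        return {"error": "unsupported_grant_type"}
    access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    _tokens[access] = (user, now + ACCESS_TTL)
    _refresh[refresh] = user
    return {"access_token": access, "refresh_token": refresh,
            "token_type": "Bearer", "expires_in": ACCESS_TTL}

def protected_resource(authorization, now=None):
    """Simulated protected view: accepts 'Bearer <token>', rejects unknown or expired tokens."""
    now = time.time() if now is None else now
    scheme, _, token = authorization.partition(" ")
    entry = _tokens.get(token)
    if scheme != "Bearer" or entry is None or entry[1] <= now:
        return 401, None
    return 200, {"user": entry[0]}
```

The mobile app never holds a secret: a leaked client_id only lets someone start the same flow, which still requires valid user credentials or a live refresh token.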